Zach White

GDPR: What You Need to Know

Posted on May 3, 2018

Businesses, large and small, are in the midst of preparing for compliance with the European Union’s (EU) new data privacy law: The General Data Protection Regulation, or the GDPR, which will go into effect on May 25, 2018.

The GDPR is very broad in scope and can apply to businesses both in and outside of the EU. Businesses that don’t comply with the GDPR could face heavy fines.

Here’s what you need to know about GDPR. (Note: you should consult your own legal counsel to determine if you are subject to the requirements of GDPR.)

What is GDPR?

GDPR is short for the General Data Protection Regulation. It was passed by European lawmakers to strengthen and harmonize data privacy laws across all the EU member states, and it will officially be enforceable on May 25, 2018. Its purpose is to:

support privacy as a fundamental human right;

require organizations that handle personal data to be accountable for managing that data appropriately; and

give individuals rights over how their personal data is processed or otherwise used.

What is personal data?

In a nutshell, GDPR defines personal data as “any information relating to an identified or identifiable natural person.”

Ok, so what does that mean?

In addition to the kinds of information you might think about – name, address, email address, financial information, contact information, identification numbers, etc., personal data can in some cases be information related to your digital life, like an IP address, geolocation, browsing history, cookies, or other digital identifiers.

It also could mean information about a person, including their physical, mental, social, economic or cultural identities.

In short, if information can be traced back to or related in some way to an identifiable person, it is highly likely to be personal data. You can find out more about the GDPR here.

What rights does the GDPR provide to individuals?

There are several rights an individual may exercise under the GDPR, including:

Right of access: Individuals can ask for a copy of the personal data retained about them and an explanation of how it is being used.

Right to rectification: Individuals have the right to have inaccurate personal data retained about them corrected, and incomplete personal data completed, at any time.

Right to be forgotten (also called the right to erasure): Individuals can ask for their personal data to be deleted.

Right to restrict processing: If an individual believes, for example, that their personal data is inaccurate or collected unlawfully, the individual may request limited use of their personal data.

Right of portability: Individuals have the right to receive their personal data in a structured, commonly used and machine-readable format.

Right to object: Individuals may, at any time, opt out of having their personal data used for analytics, direct marketing emails, or other personalized (targeted) marketing content.

Please note that these rights are not absolute, and limitations/exceptions may apply in some cases.

What is MOJO Marketplace doing to comply with the GDPR?

We are committed to achieving compliance with the GDPR by May 25, 2018. We are reviewing and updating, as necessary, our agreements with you and with our subcontractors (to include the necessary GDPR terms). We are also updating our Privacy Policy, Terms of Service, internal processes, features, and templates to ensure our compliance.

The MOJO Marketplace Privacy Statement explains what information we collect about you as a MOJO Marketplace customer and how your personal data may be used by MOJO Marketplace. We suggest that you review how this applies to you.

Note that we will be updating our privacy statement to align with GDPR. No worries, though, we’ll send all users a notice letting you know that it will be changing, so you’ll know what to expect.

Some responsibilities under the GDPR you should understand

Generally speaking, there are two types of parties that have a responsibility regarding the handling of personal data: the “controller” and the “processor.”

A “data controller” determines the purposes and means of the processing of personal data. This means that controllers retain primary responsibility for data protection.

A “data processor” on the other hand, only acts on the instructions of the “controller” and processes personal data on their behalf. The GDPR places some direct responsibility on processors, as well.

It is important to understand whether you are acting as a controller or a processor, and understand your responsibilities accordingly.

How does the GDPR affect my business?

Individuals, companies, or businesses that have a presence in the EU, or that have no presence in the EU but offer goods or services to, or monitor the behavior of, individuals in the EU, need to comply with this law. Please consult with your own legal counsel about whether the GDPR applies to you and your business.

If the GDPR applies to you, there are various obligations you will need to comply with in order to continue doing business with your customers from the EU. Not all of these obligations are new, however, so you may already be complying with some of them.